-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot decrypt RSA OAEP? #153
Comments
This code is suspect (file
|
Yes, I also suspect that. This is why it is essential to check whether it worked before, and which commit broke it. You may use |
I just checked. Commit 0206efb does not work with this either. |
With OpenSSL-1.0.2, opensc master and libp11 master: running gdb --args openssl rsautl -engine pkcs11 -keyform ENGINE -decrypt -inkey "pkcs11:manufacturer=piv_II;object=KEY%20MAN%20key;type=private" -oaep -in t256.dat.enc -out t256.dat.dec
This shows that the rsautl is expecting the PKCS11 module to support OAEP padding. If the intent was to have OpenSSL do padding removal after calling PKCS#11 CKM_RSA_X_509 to do the raw RSA operation, this looks like it is not going to work. |
I see.
I see. I'd love to see that support added.
Yes, I think the intent described above would be the most logical solution, as few (if any) tokens support fancy padding directly - and most of them (all of them?) support raw RSA. From your explanation I see why it cannot work as is - OpenSSL and OpenSC/libp11 implementations "point finger at each other" (figuratively speaking) regarding who should remove the padding, and neither one actually does it. I do not know what is simpler, or likelier to happen (especially for the 1.0.2 branch):
What's your opinion? (I'm not asking which path is more elegant - but rather which path has a better chance to be actually implemented and deployed.) Update. I checked my test-program (C code) that programmatically invokes OpenSSL and PKCS#11 engine to "wrap" and "unwrap" (aka encrypt and decrypt) a symmetric key using RSA-OAEP. It still works correctly with the current This is the code sample that works now (error checks and recovery removed for compactness):
|
The OpenSSL-1.1 does the same thing. From your https://github.com/OpenSC/libp11/files/911548/libp11-decr.txt it has: 100: C_DecryptInit And I don't see how the OpenSSL rsautil or the libp11 would select CKM_RSA_PKCS? @mouse07410 you asked: "I do not know what is simpler, or likelier to happen" Its complicated because PKCS#11 2.40 Section 2.1.8 "PKCS #1 RSA OAEP" says: So based on what rsautl does for parameters, it needs to provide them to PKCS#11. OpenSSL using software, .crypto/rsa/rsa_pmeth.c pkey_rsa_decrypt checks for But in rsautl it looks like it just jumps to doing assuming PKCS11 can do it but does not pass in any parameters. So it looks like rsautl is the problem. And it is not clear what parameters are the default, or if they can be provided. (I have not looked at the OpenSSL code to see if there is a default. ) If you wanted to have your own version of rsautil, that relied on the lower level engine code, and not pkcs11 you might get it to work with out changes to libp11 or opensc. If there is a default for the parameters, then OpenSC mods to support CKM_RSA_PKCS_OAEP |
Ah, but that assumes that the PKCS#11 device would process OAEP? I'd like to constrain the PKCS11 part to the raw RSA if at all possible - because (a) OpenSC seems to rely upon OpenSSL in any case, and (b) it looks like OpenSSL can process OAEP perfectly well (as my code sample above proves).
Again, I'd rather that OpenSSL took care of OAEP by itself, and passed only the raw RSA down to the PKCS11 end. And that's what it must be doing with the encryption, otherwise both
It looks like that. So BTW, here's what I get from
|
Turns out the problem is in Hopefully, eventually we'll see both: |
Current master:
Not sure if the log would be of use:
libp11-decr.txt
The text was updated successfully, but these errors were encountered: